On January 5, 2021, the Council of the European Union released a new draft version of the ePrivacy Regulation. The draft regulation is intended to replace the current ePrivacy Directive since the European Commission approved the first draft ePrivacy Regulation back in January 2017. In fact, this new draft version is the 14th version in the last four years.

If approved, the ePrivacy Regulation will regulate electronic communications service providers who process data of individuals residing in the EU. Such regulations would include rules for (1) collecting user "cookies"; (2) collecting location-related data; (3) unsolicited emails or text messages; and (4) the interception of communications.

As it stands now, the ePrivacy Directive is still in full force and effect. Although the ePrivacy Directive currently has such aforementioned provisions, the ePrivacy Regulation would complete the European Union's General Data Protection Regulation. The fundamental difference between the two being that the ePrivacy Regulation would apply uniformly and be legally binding across the EU. While the ePrivacy Directive currently requires local regulations for implementation; meaning, each member state may have country-specific laws different from other countries. The ePrivacy Regulation would override those laws and create a single data protection standard.

The latest draft of the ePrivacy Regulation primarily adheres to the previous draft, and includes the following additions:

  • Widens the territorial scope of the draft regulation to include areas where member state laws apply by virtue of public international law.
  • Defines "location data."
  • Authorizes the processing of electronic communications, including metadata, for purposes consistent with the initial reason(s) for which the data was first collected.

Although it has taken a few years, we may be getting a finalized ePrivacy Regulation in the near future. Coincidentally mere months before the new draft regulation was announced, France's data protection authority, CNIL, issued two significant fines against market-leading technology companies for breaching the country's laws on the use of cookies. Totaling €135 million, CNIL fined Amazon France Core €35 million, and Google LLC and Google Ireland Limited €100 million. CNIL found that neither Google nor Amazon (1) obtained consent from users before placing cookies on the users' respective devices; (2) adequately informed users about the cookies that were being placed on their devices; and (3) created an adequate opt-out mechanism for users to refuse cookie placement.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.